Tuesday, 27 April 2010

Unless they are involved in covert operations or otherwise excepted under contract, operational vehicles will clearly display the organisation’s name, badge or logo and telephone number.

OPERATIONAL VEHICLES NEED TO BE:

1. Appropriate for intended use; if there is a requirement for specified or particular vehicles e.g. 4 wheel drive.

THE ALTERNATIVE ROUTE

a) Liquefied Petroleum Gas (LPG) vehicles use a fuel which is both cheaper and cleaner than petrol and some manufacturers. The LPG-converted Smart car is one of the leaders in this particular class and certainly a vehicle to be considered.

b) Compressed Natural Gas (CNG) is another alternative fuel and even cleaner than LPG. Volvo offer most of their range with this option; however, there are fewer than 50 filling stations around the country, therefore it is unlikely to be a serious contender at the moment.

c) Electric cars have been available for some time. However, their short range still dictates that they remain largely restricted to the role of internal perimeter run-around, but with zero direct emissions at street level, they make a significant contribution to reducing pollution. However, the electricity they use demands them to be regularly plugged into the grid to recharge – so they cannot be regarded as entirely “green” as they are sometimes seen. Nevertheless, the electric G-Wiz – probably the “greenest car available” – with its 40mph top speed and a range of 40 miles, is well worth considering.

HYBRIDS

Although there are not many types of hybrid car currently on sale in the UK, they are probably the most practical option available – combining a small conventional petrol or diesel engine with an electric generator/motor unit. This replaces both the traditional starter motor and the alternator, allowing the engine to generate electricity to power the motor. When the motor is not being driven – when the car is going downhill or when braking heavily, for instance – the electricity generated is diverted to top up the battery pack instead. Most of today’s production models have both the engine and the motor connected to the car’s transmission system, allowing the vehicle to run as much as possible just on electric power and only using its internal combustion engine to give extra power when needed. Generally hybrids carry a 10 – 20 per cent higher price tag than similar conventional vehicles, but they do benefit from low road tax and they do have significantly lower CO2 emissions. Vehicles such as the Honda Civic IMA, the Lexus 400h SUV and the Toyota Prius are certainly worth considering.

2. Carrying a two way communications device, mobile phone or radio.

3. Inspected by the organisation’s Operations Manager at least once per month, and daily by the driver, to ensure that they are roadworthy; checking:

• Fuel.
• Engine Oil.
• Coolant.
• Lights: head, side, reverse, fog, instrument panel, indicators, and 4 way hazard indicators.
• Windscreen Wipers and Washers.
• Brakes.
• Tyres including spare wheel, condition and inflation.
• Jack and wheel-brace.
• Tax disc.
• Serviced regularly, in accordance with manufacturer’s instructions; service history is to be kept in control room, copies of servicing, repairs, insurance and MOT documents held in vehicle.
• Repaired as soon as possible, when damage is found.
• Kept clean and tidy, by the driver.

VEHICLES CARRYING KEYS

Where required an appropriate safe should be installed as per BS 7499.

OTHER EQUIPMENT

The equipment listed below will be considered in line with the use, manning and deployment of the vehicle and where required will be provided.

Records should be kept of all equipment issued. Employees should be required to sign for equipment and uniforms received, and to give an undertaking to return equipment on termination of their employment.

Records of equipment calibrated and/or repaired are kept and maintained in the office for at least 12 months.

Records of vehicle maintenance and repair will be kept in the office for the period of ownership of the vehicle.

Protecting your employees from possible dangers at work is the law and the most effective way of doing so is by performing a risk assessment.

DON’T LET THE RISKS GO UNNOTICED

It is very easy for potential health risks to go unnoticed in day-to-day working life, carrying out your job role. A work risk assessment highlights clear-cut measures that can effectively control risks within the workplace. The assessment does so by examining where and what in your business could cause harm, helping you weigh up whether or not you have taken sufficient safety precautions.

Carrying out a work risk assessment not only protects your workforce but also the welfare of your business. Accidents at work can ruin lives, result in less work output, damage machinery and increase insurance costs. Implementing a plan to control the risks means that you are adhering to the law and protecting your workforce as well as your business.

IDENTIFY THE HAZARDS

Recognising the hazards is the ideal place to start when assessing the risks in your workplace. If you are a small company then you are more than likely able to identify the hazards and carry out the risk assessment yourself. If your company consists of many people with varying job roles then it is recommended that a health and safety expert is called on. If you work in a large company then it is advised that you involve your staff or their representatives to ensure your work risk assessment is carried out effectively. Recognising the hazards doesn’t need to be a complicated process and the obvious risks will be easy to identify and prevention methods simple to implement. Start by taking a walk around the workplace identifying possible hazards. Ask your employees or representatives for their perspective. Consult manufacturers’ instructions and accident records to help discover less obvious hazards.

Once potential hazards are identified, matching them to their relevant job role is key. This will identify the most efficient way to manage the risks. After evaluating the risks in the workplace, the precautions should be finalised, with the law stating the need to do everything reasonably practicable to protect your workforce from harm. It is advised that you carry out research on risk control good practice and compare this to the precaution solution that you have drawn up. This should bring you up to speed with current standards and help to implement your plan of action. Remember that the precautions put in place do not need to be expensive. A small cost implementing your plan could save your business a lot of money in long term insurance costs.

RECORD YOUR FINDINGS

It is recommended that you record your work risk assessment findings for future reference and share these with your employees. These will help with future updates and comparisons. Reviewing your work risk assessment should take place when updates to procedures or machinery occur within the company. This will keep your control plans up to date and minimise the risk of accidents and injuries in the workplace.

• To identify any weaknesses in the physical security of a company.
• To prove the current systems.

What is it that needs protecting?

• Information
• Product
• Systems
• Staff

WHAT IS A PENETRATION TEST?

A PPT is a simulated attack against your company’s security defences. It is designed to replicate an attack to see if your security can be compromised. The primary aim is to identify security weaknesses before real attackers have the chance to. Once security weaknesses have been identified, your organisation can start treating the associated risks.

An example attack may be to target a specific service, process or operation within your business, site or plant by using ‘social engineering’ or ‘deception’, e.g. an employee holds a secure door open for a visitor or someone they do not know, but that person looks like they should be there (inspector, auditor etc.), so what is the harm? ‘Tailgating’, as it is known, is a simple method of bypassing building security systems or following employees to lunch, eating near them, and taking notes.

Why conduct a PPT?

A PPT identifies the security weaknesses and strengths of a company’s physical security. The goal of the test is to demonstrate the existence or absence of deficiencies concerning physical security. Penetration testing should be considered an important part of any ongoing security programme. These tests can be particularly useful in attracting the attention of senior management. The results of a penetration test can show the organisation-wide consequences of a breach and help to ensure buy-in from all levels of the organisation.

Remember “an ounce of prevention is worth a pound of cure”.

Organisations typically conduct PPT with the aim of identifying vulnerabilities which could result in some form of loss. Loss may be specific to each business but there are some forms of loss that can apply to all businesses.

Immediate financial loss is obvious in the case of an attack to remove money or stock from an organisation. However, there can also be indirect costs associated with a security incident. For example, the cost associated with increased insurance premiums or the costs of possible regulatory breaches which could run into tens, if not hundreds, of thousands of pounds.

Losses are not just financial. An organisation can suffer significant reputation damage, particularly in the food, pharmaceuticals and IT industries. A security breach could lead to a decrease in client trust which could then lead to a drop in sales.

PPT EXECUTION

PPT is typically conducted using a structured approach around the following key phases:

• Discovery
• Enumeration (listing of findings one by one)
• Vulnerability Mapping
• Exploitation

Each phase feeds into the next making it an integrated process.

Discovery

The discovery phase can be thought of as reconnaissance. The discovery process will aim to map out the attack for the test. The discovery phase will highlight possible attack vectors based on the information gathered.

Enumeration

The enumeration phase will gather more detailed information about the information gathered in the discovery phase such as detail of sensitive/vital information, product, systems and staff that can directly and/or immediately affect the operations of an organisation including access, information, product, systems and staff.

Vulnerability Mapping

The vulnerability mapping phase will attempt to identify weaknesses in the services/systems/procedures/facilities enumerated in the previous phase.

Once sufficient detail has been obtained, the tester can identify weaknesses in the service/system/procedure/facility being tested. This information can then be fed into the final test phase, exploitation.

Exploitation

The exploitation phase is designed to demonstrate that a security weakness exists and can be used by an attacker. The tester aims to compromise the system using a weakness identified in the previous phases, i.e. the testing officer could obtain unauthorised physical access to a facility using non-technical means.

POST PPT

The final and most important deliverable to an organisation who has commissioned a penetration test is the final report. The final report is so significant because it conveys and documents the security risks identified during the test in a way that is meaningful to the organisation.

A PPT report is likely to be read by senior management down through to junior managers who are responsible for remedial changes. A good PPT report will provide information for all the intended audience types.

WHAT TO CONSIDER WHEN BEING PPT?

When an organisation decides to conduct a PPT there are several key points to consider prior to the commencement of the test:

• Use an independent security provider. They will be immune from internal distractions and are focussed on the key issues of your security.
• Seek demonstration of providers’ experience. Proven experience will help to understand the providers’ capabilities and will provide confidence in the providers’ abilities.
• Ensure the testing provider utilises proven testing methodologies. Proven testing methodologies ensure that the tests being conducted will produce consistent and reliable results.
• Never utilise penetration tests as a substitute for a holistic security programme. A penetration test is an important part of your security programme, not a substitute for one.

A well planned PPT can help an organisation identify their security vulnerabilities. This pro-active approach can help identify risks before malicious attacks occur and protect an organisation from post attack fall-out.

This has been a tough year for British businesses. Many strong and long standing companies have fallen and many may still yet fall. That said, for the businesses that are still trading, some showing true grit and resilience in this unpredictable climate, there are yet more risks to be assessed.

There are both internal and external threats to consider. People behave differently under pressure and it has never been more true that “desperate times call for desperate measures”. Businesses are under constant threat from competitors and indeed desperate employees who may believe that their employment is no longer secure. Unemployment is at its highest since 1995. In a recent survey entitled ‘The recession and its effects on work ethics’, carried out among 250 office workers in London’s busy Canary Wharf, a staggering 60% admitted they would take valuable data with them (if they could get away with it) were they faced with redundancy or the sack. Remarkably, 40% confessed to having already snooped around the networks and downloaded sensitive company secrets from under their bosses’ noses in anticipation that they could lose their job.

IS IT TIME YOUR BUSINESS HAS A HEALTHCHECK?

With all this going on internally added to the usual business pressures of your competitors trying to get an edge, add to that the terror threat that could face any business and load on the possibility of random vandalism and general crime. It’s probably time you gave your business a security health check.

Carry out a risk assessment to decide on the threats you might be facing and their likelihood. Identify your vulnerabilities and the potential impact of exploitation. Act on these risks. Decide on a plan to eliminate or reduce these risks. Implement it, consider the risks, identify a problem and act to reduce the risk.

If acquiring or extending premises, consider security at the planning stage. It will be cheaper and more effective than adding measures later. Security of your business should be at the heart of all new projects. Speak to your current provider for guidance or contact a consultant if you are unsure what is required.

Make security awareness part of your organisation's culture and ensure security is represented at a senior level. Security should not be left to a junior staff member. Whether it be IT security or physical security, board members should be involved and accept ultimate responsibility for the business decisions that are made.

areas tidy and well-lit, remove unnecessary furniture and keep garden areas clear. These basic steps have foiled many an attempt to cause harm to a business or individual. It also acts as a deterrent as visibility is clearer therefore the chances of being seen higher.

Keep access points to a minimum and issue staff and visitors with passes. Where possible, do not allow unauthorised vehicles close to your building. An efficient reception area is essential to controlling access, with side and rear entrances denied to all but authorised people. Keep access points to a minimum and make sure the boundary between public and private areas of your building is secure and clearly signed. Invest in good quality access controls such as magnetic swipe identification cards or 'proximity' cards which are readable from a short distance. If a staff pass system is in place, insist that staff wear their passes at all times and that their issuing is strictly controlled and regularly reviewed. Visitors should be escorted and should wear clearly marked temporary passes, which must be returned on leaving. Anyone not displaying security passes should either be challenged or reported immediately to security or management. Consider introducing a pass system if you do not have one already.

Install appropriate physical measures such as locks, alarms, CCTV surveillance, complementary lighting and glazing protection. Contact your own or a reputable security provider to discuss systems that could be introduced that may complement or replace your existing systems and that are within your budget.

Examine your mail-handling procedures

When recruiting staff or hiring contractors, check identities and follow up references. Staff should be vetted correctly. You are allowing these people full or partial access to your business. You must be sure you know as much about them as is possible. You must be sure they have not recently been in prison or have had extended holidays out of the UK. Did you check their references thoroughly before you let them swipe in or log on? If you haven’t got the time or ability to do this you should absolutely outsource this immediately.

Consider how best to protect your information and take proper IT security precautions. Examine your methods for disposing of confidential waste. Trust is not a security policy.

Plan and test your business continuity plans, ensuring that you can continue to function without access to your main premises and IT systems. This is key to any business. Everyone is liable to flood at some point, be shut down by a highly contagious illness, suffer a fire in the premises or just have the main server blow up. What if the water supply to your site broke and all staff had to be sent home? Terrorism is a real threat that should not be overlooked but perhaps a more realistic danger for your business is Swine Flu, Norovirus, no heating or a burst water pipe. All these could stop your business functioning.

SHOULD YOU CONTACT A SECURITY CONSULTANT?

Your security supplier should be able to help with all these issues and help you work your way through your health check. If your security is in house perhaps it would be worth contacting a consultant to assist with the health check, testing your current provisions and creating a plan.

You have a car park. People park everywhere. Staff and customers can't find a space. Do you know about the different options available to you?

Of course there are the dreaded clampers; we have all heard the horror stories in the press of rogue clamping companies that charge ridiculous prices for release of a car that should not have been clamped in the first place.

In recent years there have been many changes to parking regulations, with the latest addition being that private land owners may now manage their land as the council would manage its streets. Civil Enforcement is not only for the government but also for anyone with a site that people trespass onto and park. Parking tickets may now be issued, and followed through, as your local council would.

Parking Charge Notices have been widely used throughout the UK for many years by local authorities and now private land owners can also benefit from this enforcement system. This has proved to be the most effective deterrent and cost effective solution, to eliminate unauthorised parking on any private land. With more and more vehicles on the roads than ever before and a poor public transport system, if you happen to provide parking for staff, customers, visitors etc, unauthorised vehicles have become more of an issue. The management of this problem is regulated by the British Parking Association who approves companies to use this system under their guidance.

BPA (BRITISH PARKING ASSOCIATION)

As the recognised authority within the parking industry, the BPA represents, promotes and influences the best interests of the parking and traffic management sectors throughout the UK and Europe.

The BPA commissioned the Childs Report which was completed in June 2005 and was a wide ranging and authoritative review of the first 10 years of Decriminalised Parking Enforcement. The report included 44 recommendations for improvement and many of these are within the new guidance for implementation of Civil Parking Enforcement.

BPA has developed the RECiPE project to assist and guide members to Realise Excellent Civil Parking Enforcement. Realising excellence in Parking is the BPA’s main mission.

WHAT IS A MANAGED CAR PARKING SERVICE?

A managed car parking service is available to most people who own land that they wish to limit parking on. It involves the use of civil parking enforcement to ensure the smooth running of your site or carpark.

Permits are issued to all those authorised to use the car parking and parking attendants can then cleanse the car park for all those vehicles who park without your authorisation.

SO WHO SHOULD YOU CHOOSE TO HELP YOU WITH THIS?

There are many companies in the UK offering parking enforcement packages for private carparks. These can easily be found on the internet but how can you be sure of the quality of the service they offer? The Car Parking Partnership was formed to bring the necessary credibility and experience to off street civil parking enforcement. Civil parking enforcement is often a grey area and many private car park owners feel they have no lawful way of controlling their car parks. The CPP believe in keeping enforcement clear and simple. You need to choose a package that will run your car park in a non-confrontational and totally effective way.

IS THIS SCHEME REALLY FOR YOU?

Any private company who experience problems with parking in their carparks will benefit from this professional service. From small car parks with as few as 5 spaces, to larger sites such as sports halls or shopping centres will benefit.

YOU COULD GENERATE INCOME FROM THIS

When negotiating your package with your managed car park partner it is possible to agree a share of the income generated from ticketing illegally parked vehicles. Depending on the size of your car park and the estimated revenue expected from your site you can negotiate a percentage that could generate you a considerable amount of cash. This can also be applied to any land you have currently not in use.

Your new and improved Security Guide is here to provide you with all the up to date current news, hot topics and developments within the Security Industry. Each article will help you, as buyers of security, to build an informative and usable guide highlighting the services that are available to you, enabling you to make more informed choices.

You shall receive Monthly Security Articles to add to your guide. These articles will contain vital information regarding all aspects of security and we hope you will find them useful when considering your own security requirements.

You shall also receive the occasional email to ensure that you are happy with your guide and the articles provided. This service also allows you to have your say in what you read in your articles and guide. We would love to hear your views and opinions on potential new articles and feedback on current articles.

If you think you have missed your monthly article, or require copies for colleagues, please do not hesitate to contact a member of our team on 0845 603 7994 or email us at enquiries@impactsecurity.co.uk and we will be able to provide you with your article. We can provide all articles as hard copies or, for your convenience and environmental policy, a PDF file.

Can’t wait for our next article? Visit our website at www.impactsecurity.co.uk to browse through all our available services. We regularly update our site with new information to help keep you informed of all new developments.

We hope that you find ‘Your Security Guide’ a useful tool in helping you stay up to date on current topics and a good reference point when making decisions regarding your own security requirements.